Federation of European Data and Marketing


EDPB consultation on draft Guidelines 9/2022 on 
personal data breach notification under GDPR 


FEDMA is pleased to provide its input to the European Data Protection Board’s (EDPB) draft targeted 
Guidelines 9/2022 on personal data breach notification under GDPR. 


Though the additional paragraph is in line with the current version of the Guidelines, the draft update
to the document does not address the main hurdles that companies face when notifying a data
breach; it even consolidates them. Specifically, FEDMA wishes to highlight the following issues:


• Having to submit a national notification form “to every single authority for which affected data
subjects reside in their Member State”, companies need to navigate through different national 
notification form systems which are generally difficult to fill out and sometimes have to be filled 
out online, making it difficult for multiple and geographically spread teams to fill out the relevant 
sections. The breach notification process to the DPAs should thus be simplified with a centralised, 
single reporting form in English applicable across all EU countries (and translated into local 
languages, as the case may be). 


• Though the current Guidelines provide clarifications on the concept of “awareness” related to
a data breach, there remains a degree of uncertainty around the reporting time frame when a
weekend or bank holiday falls within the notice period of 72 hours. Companies have also voiced
concern about the lack of clarity on the cases in which DPAs would accept a delayed notification,
where such notification cannot be made within 72 hours. FEDMA thus recommends furthering
the dialogue between the EDPB, DPAs and industry to define use cases and scenarios or
thresholds where such delayed notification would be expected.


• We also deem it necessary to provide more clarity on the cases in which a breach is unlikely to
result in a risk to the rights and freedoms of individuals. As a result of this uncertainty, many
organisations tend to over-report data breaches, often with an excessive amount of information.
This not only represents an unnecessary burden for companies, but also results in “swamping”
DPAs with thousands of unnecessary or trivial notifications. FEDMA believes that the EDPB should
work together with organisations to build consensus and updated guidance with examples of
non-reportable breaches.